Abstract

Digital signatures are one of the most important cryptographic primitives. In this work we construct an information-theoretically secure signature scheme which, unlike prior schemes, enjoys a number of advantageous properties such as short signature length and high generation efficiency, to name two. In particular, we extend symmetric-key message authentication codes (MACs) based on universal hashing to make them transferable, a property absent from traditional MAC schemes. Our main results are summarised as follows.

We construct an unconditionally secure signature scheme which, unlike prior schemes, does not rely on a trusted third party or anonymous channels.

We prove information-theoretic security of our scheme against forging, repudiation, and non-transferability.

We compare our scheme with both existing “classical” (not employing quantum mechanics) and quantum unconditionally secure signature schemes. The comparison shows that our new scheme, despite requiring fewer resources, is much more efficient than all previous schemes.

Finally, although our scheme does not rely on trusted third parties, we discuss their use, showing that having a trusted third party makes our scheme even more attractive.

A Security Definitions

In this section we formally define security in USS protocols. We begin by defining the notion of a dispute resolution process.

In the messaging stage of the protocol all participants are able to check the validity of a message-signature pair without communicating with any other participant. Nevertheless, there may still be scenarios in which disagreements arise regarding whether a message is valid or not. For example, the sender may deny having ever sent a message, even though a recipient who (allegedly) followed the correct procedure found the message to be valid. In these cases, the participants need a method of deciding who is telling the truth. This is done via the dispute resolution process.

Definition 6

When the validity of a message-signature pair \((m,\sigma )\) is in dispute, we invoke a majority vote dispute resolution method \(MV (m,\sigma )\), defined by the following rule:

where \(Ver _{(i,-1)}(m, \sigma )\) is the verification function at level \(l=-1\).

Essentially, all participants check the message-signature pair at level \(-1\) and the majority decision prevails. The \(l=-1\) verification level is only used in dispute resolution, and not in normal runs of the protocol. The dispute resolution process is expensive, as it requires all participants to communicate to decide whether the message is valid or not. It is expected that even dishonest participants would not try to force dispute resolution, since losing would come with consequences and the procedure ensures that honest participants prevail as long as they are in the majority. Dispute resolution should be thought of as akin to taking legal action; in the vast majority of cases it does not happen, but its existence is necessary to prevent dishonesty.

Signature schemes must be secure against three types of security threat – forging, repudiation and non-transferability.

Definition 7

(Forging). Let \(\mathcal {Q}\) be a USS protocol and let \(C \subset \mathcal {P}\) be a coalition of malevolent parties, not including the signer \(P_0\). Suppose that the coalition holds any valid message-signature pair \((m,\sigma )\) and can use this to output a message-signature pair \((m^\prime , \sigma ^\prime )\) with \(m^\prime \ne m\). We define \(Forging \) to be the function:

Definition 8

(Non-Transferability). Let \(\mathcal {Q}\) be a USS protocol and \(C \subset \mathcal {P}\) a coalition of malevolent participants including the signer \(P_0\). Suppose that C outputs a message-signature pair \((m,\sigma )\) and a verification level l. We define Non-Transferability to be the function:

Definition 9

(Repudiation). Let \(\mathcal {Q}\) be a USS protocol and \(C \subset \mathcal {P}\) a coalition of malevolent participants including the signer \(P_0\). Suppose that C outputs a message-signature pair \((m,\sigma )\) and a verification level l. We define \(Repudiation \) to be the function:

We say that the protocol is secure against forging/non-transferability/repudiation if the probability of a dishonest coalition being successful decays exponentially fast with respect to some security parameter.

B Security Proofs

In order to break the transferability of the protocol, a coalition C (which includes the signer \(P_0\)) must generate a signature that is accepted by recipient \(P_i \notin C\) at level l, while also being rejected by another recipient \(P_j\notin C\) at a level \(l^\prime < l\).

The task of the coalition is easiest if \(l^\prime = l-1\) and so we consider this case in what follows. To provide an upper bound, we allow for the biggest coalition C that includes \(Nd_R\) recipients and the sender, i.e. all the dishonest participants. For simplicity, again we will fix the participants whom the coalition is trying to deceive to be the honest participants \(P_i\) and \(P_j\), while all other honest participants are labelled with the index h. In general, transferability fails if the coalition forms a signature that is not transferable for at least one pair of honest participants \((P_i,P_j)\). Therefore, we should take into account all possible pairs of honest participants. We begin by focusing on the case of a fixed pair of participants, and at the end we give the more general expressions.

The first step is to compute \(p_{m_{l,l-1}}\), which is the probability that: (i) test \(T^m_{i,h,l}\) is passed (i.e. the tags sent from honest participant \(P_h\) to recipient \(P_i\) are accepted at level l); and (ii), the test \(T^m_{j,h,l-1}\) fails (i.e. the tags sent from honest participant \(P_h\) to recipient \(P_j\) are rejected at level \(l-1\)). Since the sender \(P_0\) is dishonest, it can be assumed that the coalition know all the signature functions. However, they are unaware of the sets \(R_{h\rightarrow i}\) and \(R_{h\rightarrow j}\). Therefore, the coalition can control the number of mismatches the signature will make with the signature functions originally sent to \(P_h\), but they cannot separately bias the number of mismatches the signature will make with the functions in \(F_{h\rightarrow i}\) and \(F_{h\rightarrow j}\). Therefore, when participants \(P_i\) and \(P_j\) test the functions sent to them by an honest participant \(P_h\), they will both have the same expected fraction of mismatches; we call this fraction \(p_e\).

The probability of passing the test at level l when \(p_e>s_l\) can be bounded using Hoeffding’s inequalities to be below \( \exp (-2(p_e-s_l)^2k). \) The probability of failing the test at level \(l-1\) when \(p_e<s_{l-1}\) can similarly be bounded to be smaller than \( \exp (-2(s_{l-1}-p_e)^2k). \) Note that \(s_{l-1} > s_l\) and so the above two cases cover all possible values for \(p_e\). Since we are taking the minimum over both cases, the optimal choice for the coalition is to have these probabilities equal to each other. This is achieved by choosing \(p_e = (s_l + s_{l-1})/2\). In this case we obtain the bound \( p_{m_{l, l-1}} \le \exp \left( -\frac{(s_{l-1} - s_l)^2}{2}k\right) , \) which decays exponentially with k.
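The following added example (not part of the original paper) checks the bound above numerically: it scans the coalition's choice of \(p_e\), computes the exact probability of the rarer of the two events, and compares the best value with \(\exp (-(s_{l-1}-s_l)^2k/2)\). It assumes that each of the k tested functions mismatches independently with probability \(p_e\) and that a test passes when the mismatch count is strictly below \(s k\); the thresholds 0.1 and 0.2 and the values of k are constructed for illustration.

```python
import math

def pass_prob(k, p_e, s):
    """P(fewer than s*k mismatches among k tested functions).

    Assumption: each function mismatches independently with probability p_e,
    and a test passes iff the mismatch count is strictly below s*k.
    """
    t = math.ceil(s * k - 1e-9)  # smallest mismatch count that fails the test
    def log_pmf(x):
        return (math.lgamma(k + 1) - math.lgamma(x + 1) - math.lgamma(k - x + 1)
                + x * math.log(p_e) + (k - x) * math.log(1 - p_e))
    return min(1.0, sum(math.exp(log_pmf(x)) for x in range(t)))

def coalition_success(k, p_e, s_l, s_lm1):
    """Upper bound on P(P_i passes at level l AND P_j fails at level l-1):
    the joint event is no more likely than the rarer of the two events."""
    return min(pass_prob(k, p_e, s_l), 1.0 - pass_prob(k, p_e, s_lm1))

def best_coalition(k, s_l, s_lm1, steps=400):
    """Scan p_e over a grid in (0, 1); return (best p_e, its success bound)."""
    grid = (i / steps for i in range(1, steps))
    return max(((p, coalition_success(k, p, s_l, s_lm1)) for p in grid),
               key=lambda pair: pair[1])

def hoeffding_bound(k, s_l, s_lm1):
    """The bound exp(-(s_{l-1} - s_l)^2 k / 2) obtained at the midpoint p_e."""
    return math.exp(-((s_lm1 - s_l) ** 2) * k / 2)

if __name__ == "__main__":
    s_l, s_lm1 = 0.1, 0.2  # constructed thresholds with s_{l-1} > s_l
    for k in (200, 400, 800):
        p_star, exact = best_coalition(k, s_l, s_lm1)
        print(f"k={k:4d}  best p_e={p_star:.4f}  exact={exact:.3e}  "
              f"Hoeffding={hoeffding_bound(k, s_l, s_lm1):.3e}")
```

Under this model the coalition's best \(p_e\) lies between the two thresholds, and the exact value sits below the Hoeffding bound for every k, as the derivation requires.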

For a test that involves a member of C it is trivial for the coalition to make two recipients disagree in any way they wish, i.e. they can make \(T^m_{i,c,l}\) and \(T^m_{j,c,l-1}\) take any values they wish. However, the number of those tests is at most \(Nd_R\), which is the maximum number of recipients in the coalition. For the participant \(P_i\) to accept a message at level l, he needs strictly greater than \(N\delta _l\) of the tests to pass at this level. On the other hand, for the participant \(P_j\) to reject the message at level \(l-1\), less than or equal to \(N\delta _{l-1}\) of tests must pass at this level. Therefore, since it holds that \(\delta _l = \delta _{l-1} + d_R\), in order for the coalition to be successful, the honest participants \(P_i\) and \(P_j\) need to disagree on at least \(N d_R + 1\) tests. As we saw, the coalition can easily make them disagree on the \(Nd_R\) tests originating from coalition members, but they still have to disagree on at least one more test originating from an honest recipient. There are \(N(\delta _l - d_R) +1\) such tests (tests originating from an honest recipient that were passed by \(P_i\)), and the \(P_j\) need only reject one of them for the coalition to succeed. Therefore, we have